A critical remote code execution vulnerability in FreeBSD’s default DHCP client (dhclient) allows a rogue DHCP server on the same network to execute arbitrary commands with root privileges, affecting all supported versions of FreeBSD.
The FreeBSD Project issued Security Advisory FreeBSD-SA-26:12.dhclient on April 29, 2026, disclosing an injection flaw in dhclient(8), the system's default IPv4 DHCP client.
Tracked as CVE-2026-42511, the flaw lets an attacker take over any unpatched FreeBSD system running dhclient with no user interaction, and there is no workaround other than applying the patch.
At its core, the flaw is a simple input-sanitization failure in dhclient's lease file handling. The BOOTP file field (the parameter a DHCP server sends in its offer to name a bootstrap file path) is written verbatim into the dhclient lease file without escaping embedded double-quote characters, even though the lease file format delimits that value with double quotes.
This omission lets an attacker-controlled DHCP server close the quoted string early and append arbitrary dhclient.conf directives, which dhclient stores in the lease file (/var/db/dhclient.leases.<interface>). The injected payload lies dormant until the file is re-parsed, most critically on reboot or when dhclient restarts.
At that point the attacker-controlled value is handed to dhclient-script(8), a privileged shell script that evaluates it. Because dhclient-script(8) runs as root, the payload executes with full root privileges on the host.
The attack requires the adversary to be on the same broadcast domain (subnet) as the target, so that a rogue DHCP server can answer the client's requests before the legitimate server does, or after the legitimate server's pool has been exhausted (the classic DHCP starvation/spoofing setup). This is well within reach of:
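The quoting failure described above, as an added example: this is not code from FreeBSD's dhclient or from the advisory, but a small Python model of a lease file that carries the server-supplied BOOTP file field as `filename "...";`. The writer, the escaper and the tokenizer are all assumptions made for illustration (dhclient's real writer and parser are in C), and the attacker-controlled field is a constructed sample. It shows a vulnerable writer beside a hardened one and a parser that reveals how one stray double quote turns a value into an extra directive.

```python
"""Added example, not code from FreeBSD's dhclient or from the advisory.

A simplified model of the lease-file quoting bug: the lease file is assumed to
carry the server-supplied BOOTP file field as `filename "...";`, and the
vulnerable writer does no escaping. The tokenizer is a minimal stand-in for
dhclient's C parser, enough to show a value becoming extra statements.
"""

# Constructed sample: a BOOTP file field as a rogue server might send it.
# The embedded '"; ' closes the quoted string; whatever follows is parsed as a
# new statement the next time the lease file is read back.
ATTACKER_FILE_FIELD = 'pxelinux.0"; option host-name "injected'


def write_lease_vulnerable(file_field: str, addr: str, iface: str = "em0") -> str:
    """Vulnerable writer: the server-supplied field is interpolated verbatim."""
    return (
        "lease {\n"
        f'  interface "{iface}";\n'
        f"  fixed-address {addr};\n"      # addr is an already-validated IP
        f'  filename "{file_field}";\n'
        "}\n"
    )


def is_safe_lease_string(s: str) -> bool:
    """Reject control characters (newline included): they have no place in a
    bootstrap file path and would defeat line-based review of the file."""
    return all(ord(c) >= 0x20 and c != "\x7f" for c in s)


def escape_lease_string(s: str) -> str:
    """Hardened: escape the two characters that matter inside a double-quoted
    lease-file string, backslash and double quote, so the value round-trips."""
    if not is_safe_lease_string(s):
        raise ValueError("control character in lease string")
    return s.replace("\\", "\\\\").replace('"', '\\"')


def write_lease_hardened(file_field: str, addr: str, iface: str = "em0") -> str:
    """Same layout, but every server-supplied string goes through the escaper."""
    return (
        "lease {\n"
        f'  interface "{escape_lease_string(iface)}";\n'
        f"  fixed-address {addr};\n"
        f'  filename "{escape_lease_string(file_field)}";\n'
        "}\n"
    )


def parse_statements(text: str) -> list:
    """Minimal lease/conf tokenizer: a statement ends at ';' or a brace, bare
    words split on whitespace, double-quoted strings honour backslash escapes.
    Returns a list of statement tuples."""
    stmts, cur, i, n = [], [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in ";{}":
            if cur:
                stmts.append(tuple(cur))
            cur = []
            i += 1
        elif c == '"':
            i += 1
            buf = []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:
                    i += 1              # take the escaped character literally
                buf.append(text[i])
                i += 1
            i += 1                      # skip the closing quote
            cur.append("".join(buf))
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in ';{}"':
                j += 1
            cur.append(text[i:j])
            i = j
    if cur:
        stmts.append(tuple(cur))
    return stmts


def injected_statements(lease_text: str) -> list:
    """Statements other than the ones the writer meant to emit. A non-empty
    result means a server-supplied field escaped its quotes."""
    expected = {"lease", "interface", "fixed-address", "filename"}
    return [s for s in parse_statements(lease_text) if s[0] not in expected]


if __name__ == "__main__":
    vuln = write_lease_vulnerable(ATTACKER_FILE_FIELD, "192.0.2.10")
    hard = write_lease_hardened(ATTACKER_FILE_FIELD, "192.0.2.10")
    print("vulnerable writer leaks:", injected_statements(vuln))
    print("hardened writer leaks:  ", injected_statements(hard))
```

With the vulnerable writer the re-parsed file contains an extra `option host-name "injected"` statement that the server never had the right to set; with the hardened writer the whole attacker string survives as the single `filename` value. The escaper also refuses control characters, which is the cheaper of the two checks and the one that keeps a poisoned lease file readable during incident review.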
- An insider threat or compromised internal host
- A threat actor with a foothold on a corporate LAN or cloud VLAN
- An attacker conducting a man-in-the-middle attack on an unsegmented network
- A malicious actor on a shared Wi-Fi or hosting environment
Once the rogue server delivers a crafted DHCP offer with a specially formatted BOOTP file field, the victim system silently stores the malicious payload in its lease file. The exploit does not require any interaction from the system administrator or user. Execution is deferred to the next dhclient re-invocation, making it a persistent, stealthy attack vector that survives across sessions.
SANS analysts noted in their May 1, 2026, briefing that despite the same-subnet constraint, this vulnerability is “not all that difficult to exploit” once network access is established, and that the severity should not be underestimated given FreeBSD’s widespread deployment in server and embedded environments.
Affected Versions
All supported versions of FreeBSD are affected. The following release branches were confirmed vulnerable, with the patch level that corrects each:
| Branch | Patched Version |
|---|---|
| FreeBSD 15.0 | 15.0-RELEASE-p7 |
| FreeBSD 14.4 | 14.4-RELEASE-p3 |
| FreeBSD 14.3 | 14.3-RELEASE-p12 |
| FreeBSD 13.5 | 13.5-RELEASE-p13 |
Corrections were committed on April 29, 2026, between 14:47 and 14:50 UTC to the stable/15, stable/14, and stable/13 branches.
The FreeBSD Project confirmed that no workaround exists for this vulnerability. The only mitigation short of patching is not running dhclient at all (static network configuration), which is impractical for systems that depend on DHCP.
Network-level defense is possible but not a substitute for patching. DHCP snooping, a switch-level feature that only forwards DHCP server responses arriving on trusted ports, can stop a rogue server from delivering malicious offers on managed enterprise switches.
This control is unavailable where the infrastructure is unmanaged, where a cloud virtual network does not expose it, or where the topology is flat with no switch-level enforcement.
Remediation
The FreeBSD Project has released patches across all affected branches. Administrators should apply updates immediately using one of the following methods:
Method 1 – Binary update via pkg (systems installed from pkgbase):

```sh
# pkg upgrade -r FreeBSD-base
```

Method 2 – Binary update via freebsd-update (amd64, arm64, i386 on FreeBSD 13):

```sh
# freebsd-update fetch
# freebsd-update install
```

Method 3 – Source patch:

```sh
# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch
# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch.asc
# gpg --verify dhclient.patch.asc
# cd /usr/src && patch < /path/to/patch
```
After applying the source patch, rebuild and reinstall the system with buildworld and installworld, then reboot.
This is not the first time FreeBSD’s DHCP client has been targeted. A related advisory, FreeBSD-SA-20:26.dhclient (CVE-2020-7461), was issued in 2020 for a heap overflow in dhclient's option parsing, reachable by the same kind of malicious DHCP server on the local network.
The recurrence of this vulnerability class underscores a systemic concern: DHCP clients inherently process untrusted network input, making robust input validation critical in their implementation.
The April 29, 2026, advisory batch also included FreeBSD-SA-26:13.exec, addressing a separate local privilege escalation vulnerability, signaling an active security review cycle by the FreeBSD security team.
Organizations running FreeBSD in infrastructure roles, including network appliances, storage systems, jails, and embedded platforms powered by FreeBSD derivatives, should treat this patch as Priority 1.
Security teams should audit their DHCP exposure surface, enforce DHCP snooping policies at the network layer, and verify patch status with freebsd-version -u (dhclient is a userland binary, so the userland patch level is the one that matters).
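One way to turn the patch-level table above into a fleet check, as an added example that is not a FreeBSD tool: the function takes the text printed by freebsd-version -u and classifies it against the patched levels the advisory lists. Assumptions, stated here and in the code: the patched levels are copied from the table above; a release without a -pN suffix is patch level 0; STABLE, CURRENT and out-of-support release branches are reported as unknown rather than guessed; and when the output of freebsd-version -ku is fed in, the userland line is assumed to be the last one.

```python
"""Added example, not a FreeBSD tool: classify `freebsd-version -u` output
against the patched levels listed in the advisory table."""

import re

# Patch levels from the SA-26:12.dhclient table (assumed copied correctly).
PATCHED_LEVEL = {"15.0": 7, "14.4": 3, "14.3": 12, "13.5": 13}

# e.g. 14.3-RELEASE-p12, 15.0-STABLE, 16.0-CURRENT, 15.0-RC2
VERSION_RE = re.compile(
    r"^(\d+\.\d+)-(RELEASE|STABLE|CURRENT|BETA\d*|RC\d*)(?:-p(\d+))?$"
)


def parse_version(s: str):
    """'14.3-RELEASE-p12' -> ('14.3', 'RELEASE', 12).
    A release with no -pN suffix is patch level 0. Returns None if unparsable."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    branch, kind, patch = m.groups()
    return branch, kind, int(patch) if patch else 0


def assess(version_output: str) -> dict:
    """Verdict for the userland version. Accepts the single line from
    `freebsd-version -u`, or the output of `-ku`, where the userland line is
    assumed to come last (dhclient is userland, so that is the line to judge)."""
    lines = [ln.strip() for ln in version_output.splitlines() if ln.strip()]
    if not lines:
        return {"status": "unknown", "reason": "no version string"}
    userland = lines[-1]
    parsed = parse_version(userland)
    if parsed is None:
        return {"status": "unknown", "version": userland,
                "reason": "unrecognised version string"}
    branch, kind, patch = parsed
    if kind != "RELEASE":
        # Development branches carry no -pN; check the source tree or package
        # build date against the April 29, 2026 commits instead.
        return {"status": "unknown", "version": userland,
                "reason": f"{kind} build: patch level not expressed as -pN"}
    if branch not in PATCHED_LEVEL:
        # Either out of support (no fix will ship) or newer than the advisory.
        return {"status": "unknown", "version": userland,
                "reason": f"{branch} is not a release branch listed in the advisory"}
    need = PATCHED_LEVEL[branch]
    if patch >= need:
        return {"status": "patched", "version": userland,
                "reason": f"p{patch} >= p{need}"}
    return {"status": "vulnerable", "version": userland,
            "reason": f"p{patch} < p{need}; update to {branch}-RELEASE-p{need}"}


if __name__ == "__main__":
    import subprocess
    # Live check on a FreeBSD host; the constructed strings in the test cover
    # the branches without needing the binary.
    out = subprocess.run(["freebsd-version", "-u"], capture_output=True,
                         text=True, check=True).stdout
    print(assess(out))
```

The "unknown" verdicts are deliberate: a host on 14.2-RELEASE is not "patched", it is out of support and needs an upgrade, and a STABLE or CURRENT build has to be judged by its source or package date rather than a -pN suffix.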
FAQ
Q1. What is CVE-2026-42511?
CVE-2026-42511 is a critical FreeBSD dhclient vulnerability that allows a rogue DHCP server on the same subnet to inject and execute arbitrary commands as root via an unescaped BOOTP file field in the lease file.
Q2. Does this vulnerability require physical access to exploit?
No, it only requires network-level access to the same broadcast domain as the target, such as being on the same LAN, VLAN, or Wi-Fi network.
Q3. Is there a workaround if patching is not immediately possible?
There is no official workaround; enabling DHCP snooping on managed switches can reduce risk at the network perimeter, but it is not a substitute for patching.
Q4. Which FreeBSD versions are fixed?
Patched releases include FreeBSD 15.0-RELEASE-p7, 14.4-RELEASE-p3, 14.3-RELEASE-p12, and 13.5-RELEASE-p13, all released on April 29, 2026.
Site: thecybrdef.com